Security and Compliance for VMware Cloud Foundation provides guidance for auditors who would want to evaluate their VMware Cloud Foundation environment. You can leverage SDDC benchmarks and regulatory frameworks available under VMware Cloud Foundation to be able to assess individual SDDC components based on needed benchmarks or regulatory frameworks of your choice.

VCF Audit Guide

Compliance Kit for VMware Cloud Foundation is a solution that builds on top of VMware Cloud Foundation and leverages security fundamentals. The kit addresses the top ten most frequently requested compliance standards, regulations, and frameworks.

The compliance kit is designed and validated to tailor security configurations without impacting the ability of VMware Cloud Foundation to meet its design objectives. The kit can assist organizations to secure information systems in a compliance context.

The VCF Audit Guide is part of the Compliance Kit for VMware Cloud Foundation and can be used to evaluate both default and non-default configurations. For more information, see the topic, Compliance Kit for VMware Cloud Foundation in the VMware Cloud Foundation Product Documentation.

The .xlsx file, that is based on the VCF Audit Guide, containing a collection of all compliance conditions required for assessing compliance of VCF environments is available in the KB article: KB94849.

Versions of the supported VMware Cloud Foundation Compliance kits are:
  • VCF 4.2 Audit Guide
  • VCF 4.3 Audit Guide
  • VCF 4.4 Audit Guide
VMware Aria Operations supports the following products for VCF Benchmarks:
  • ESXi,
  • SDDC Manager,
  • vCenter Server,
  • vSAN
  • NSX
Within these products, VMware Aria Operations can measure the compliance of the following resources:
  • VMware Distributed Virtual Switch
  • VMware Adapter Instance
  • Virtual Machine
  • Host System
  • Logical Router
  • NSX
  • NSX Manager Service
  • Logical Switch
  • Management Cluster
  • VCF Adapter Instance
  • vSAN
  • DC
  • Cluster
Note: Assessment of objects starting from version VMware Cloud Foundation 4.4 and above is done based on VCF 4.4 Audit Guide.
Note: You must configure the VMware Cloud Foundation data source before you can configure the VCF benchmarks. For information, see the topic, VMware Cloud Foundation in the Configuring VMware Aria Operations guide.